Backdoor:Win32/Dedipros.A
First posted on 08 May 2012.
Source: Microsoft
Aliases:
Backdoor:Win32/Dedipros.A is also known as Backdoor:Win32/Dedipros.A (other).
Explanation:
Backdoor:Win32/Dedipros.A is a trojan that communicates with a command and control server to allow unauthorized access to and control of the affected computer.
Installation
If this trojan is run, it drops a copy of itself as a DLL into the Windows system folder, as in the following example:
- C:\Windows\System32\nwcworkstationex.dll
During installation, the trojan registers itself as a svchost-hosted service and appends its service name to the "netsvcs" service group, so the DLL is loaded into a shared svchost.exe process each time Windows starts. The following registry data is modified:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Parameters
Sets value: "ServiceDll"
To data: "<system folder>\nwcworkstationex.dll"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
Sets value: "netsvcs"
To data: "<previous data> <malware service name>"
The original copy of the trojan is deleted once the trojan service starts, so only the DLL in the system folder and the registry entries above remain on disk.
Payload
Communicates with a remote server
Backdoor:Win32/Dedipros.A attempts to connect to a remote command and control server and receive instructions, including commands to do the following:
- Start a process
- Clear the system event log
- Reboot the computer
- Terminate a thread
- Delete a file
- Inject malicious content into a running process
- Download and execute arbitrary programs by issuing the command line parameter "Spider update"
We observed this trojan contacting the following servers for this purpose:
- 222.247.50.11:8000
- jesso.3322.org:7102
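The following PowerShell script is an added example, not part of the Microsoft write-up, that turns the persistence details under Installation and the server list above into host checks. It walks the svchost "netsvcs" group, inspects each member service's ServiceDll (checking for the file name and service name given on this page, a missing file, a missing or non-Microsoft Authenticode signature, or a location outside the system folder), and then looks for live TCP connections to the listed IP address and port and cached DNS resolutions of the listed host name. The function names are the author's own; the script assumes an elevated session on Windows 8 / Server 2012 or later, where Get-NetTCPConnection and Get-DnsClientCache exist.

```powershell
# Added example (not from the advisory): host checks for the Dedipros.A
# persistence and C2 indicators described on this page.
# Assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.

# Indicators taken from the advisory text
$DediprosDll     = 'nwcworkstationex.dll'
$DediprosService = 'NWCWorkstation'
$DediprosC2Ip    = '222.247.50.11'
$DediprosC2Port  = 8000
$DediprosC2Host  = 'jesso.3322.org'

function Test-NetsvcsServiceDll {
    # Walk the svchost "netsvcs" group (the group Dedipros.A appends itself to)
    # and inspect each member service's Parameters\ServiceDll value.
    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $netsvcs = @((Get-ItemProperty -Path $svchostKey).netsvcs)   # REG_MULTI_SZ
    $sysDir  = [Environment]::GetFolderPath('System')

    foreach ($svc in $netsvcs) {
        $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
        if (-not (Test-Path -Path $paramKey)) { continue }
        $dll = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }   # not every netsvcs member is DLL-hosted

        $dllPath  = [Environment]::ExpandEnvironmentVariables($dll)
        $findings = New-Object System.Collections.Generic.List[string]

        if (($svc -ieq $DediprosService) -or ([IO.Path]::GetFileName($dllPath) -ieq $DediprosDll)) {
            $findings.Add('matches Dedipros.A indicator')
        }
        if (-not (Test-Path -LiteralPath $dllPath)) {
            $findings.Add('ServiceDll file missing')
        }
        else {
            # A Microsoft-looking name inside System32 is exactly the disguise
            # used here, so rely on the signature rather than the path alone.
            $sig = Get-AuthenticodeSignature -FilePath $dllPath
            if ($sig.Status -ne 'Valid') {
                $findings.Add("signature status $($sig.Status)")
            }
            elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $findings.Add("signed by $($sig.SignerCertificate.Subject)")
            }
            if (-not $dllPath.StartsWith($sysDir, [StringComparison]::OrdinalIgnoreCase)) {
                $findings.Add("outside $sysDir")
            }
        }

        [PSCustomObject]@{
            Service    = $svc
            ServiceDll = $dllPath
            Findings   = ($findings -join '; ')
        }
    }
}

function Test-DediprosNetworkIndicators {
    # Live connections to the C2 address/port and cached resolutions of the
    # dynamic-DNS C2 host name listed in the advisory.
    $tcp = Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -eq $DediprosC2Ip -and $_.RemotePort -eq $DediprosC2Port } |
        ForEach-Object {
            [PSCustomObject]@{
                Kind   = 'tcp'
                Detail = "$($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) pid $($_.OwningProcess)"
            }
        }
    $dns = Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -ieq $DediprosC2Host } |
        ForEach-Object {
            [PSCustomObject]@{ Kind = 'dns'; Detail = "$($_.Entry) -> $($_.Data)" }
        }
    @($tcp) + @($dns)
}

# Usage: show only netsvcs members with findings, then any network hits.
Test-NetsvcsServiceDll | Where-Object { $_.Findings } | Format-Table -AutoSize
Test-DediprosNetworkIndicators | Format-Table -AutoSize
```

Two caveats when reading the output. Catalog-signed Windows DLLs can report a status other than Valid on older Windows versions, so a signature finding on a genuine Microsoft file is a prompt to verify with a second tool (for example Sysinternals sigcheck), not a conviction on its own. The network check only sees connections and cache entries present at the moment it runs; a backdoor that polls its server intermittently is better caught by the ServiceDll check, or by searching proxy, DNS and firewall logs for the two servers listed above.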
Analysis by Hong Jia
Last update 08 May 2012